Description:
CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds, all within a developer-friendly environment. CloudFront speeds up the distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. It delivers your content through a worldwide network of data centers; this network of data centers is called edge locations.
Geo-restriction, also known as geo-blocking, is used when an organization does not want an application or its content to be accessible from particular geographic locations: the organization needs to prevent users in those locations from accessing the content.
This control ensures that the CloudFront geo-restriction feature, which restricts access at the country level, is enabled.
Rationale:
Enabling CloudFront geo-restriction for particular countries prevents users in those countries from accessing your content. It should be enabled either to allow access only from users in whitelisted countries, or, if the organization cannot distribute content in a particular country, to deny access from users in blacklisted countries.
Impact:
It allows access only to users located in one of the countries on a whitelist of approved countries.
If someone tries to access your content from one of the countries on a blacklist of banned countries, those users are blocked.
It gives you the ability to block requests based on the geographic location of the client IP address (Geo IP).
It can be enabled to help secure your system or to reduce the impact of DDoS attacks originating from regions you do not serve.
Default Value:
By default, a new AWS account contains no CloudFront distribution.
If you have already created a distribution in CloudFront, geo-restriction is disabled on that distribution by default.
Pre-Requisite:
Your account should contain at least one CloudFront distribution.
After auditing, if you notice geo-restriction is not enabled, follow the implementation steps to enable it.
Remediation:
Test Plan:
Step 1: Log in to your AWS account and go to the CloudFront console: https://console.aws.amazon.com/cloudfront
Step 2: Click Distributions in the left navigation pane.
Step 3: Check whether a distribution exists. If any active distribution is available in your account, click the Viewing dropdown menu and select the Web option.
Step 4: Select the CDN distribution that you want to examine and click the Distribution Settings button.
Step 5: Click the Restrictions tab and check the status of Geo Restriction.
Note: If the status is Disabled for the selected CloudFront distribution, the distribution configuration is not compliant.
→ Repeat the above steps to verify the geo-restriction feature for every other Amazon CloudFront CDN distribution in your account.
Using AWS CLI:
Step 1: List the CloudFront distributions in the account:
aws cloudfront list-distributions
Step 2: Get information about a distribution:
aws cloudfront get-distribution --id <distribution_id>
Step 3: Get the configuration of the distribution (the Restrictions section shows the geo-restriction setting):
aws cloudfront get-distribution-config --id <distribution_id>
Implementation Steps:
Step 1: Log in to your AWS account and go to the CloudFront console: https://console.aws.amazon.com/cloudfront
Step 2: Click Distributions in the left navigation pane.
Step 3: Select the distribution that you want to update and click the Distribution Settings button.
Step 4: In the Distribution Settings pane, click the Restrictions tab.
Step 5: Select Geo Restriction and click the Edit button.
Step 6: Click the Yes radio button. Under Restriction Type, choose either Whitelist or Blacklist. In the Countries list below, select a country and click the Add >> button to add it to the whitelist or blacklist; to remove a country from the list, select it and click the << Remove button.
Note: If you set the restriction type to Whitelist, add the countries you want to allow to the list; to disallow a country, remove it from the list. If you set the restriction type to Blacklist, add the countries that you don't want to allow.
Step 7: After whitelisting or blacklisting countries as required, click the Yes, Edit button.
Using AWS CLI:
To enable geo-restriction (the JSON file must contain the full distribution configuration, and --if-match takes the ETag returned by get-distribution-config):
aws cloudfront update-distribution --id <value> --distribution-config file://enable-geo-restriction.json --if-match <value>
To disable geo-restriction:
aws cloudfront update-distribution --id <value> --distribution-config file://disable-geo-restriction.json --if-match <value>
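The following Python script is an added example (not part of this control and not an AWS tool) that applies the Test Plan check to the JSON printed by get-distribution-config (a RestrictionType of "none" means geo-restriction is disabled) and builds the enable-geo-restriction.json or disable-geo-restriction.json file used by update-distribution. The sample output, its ETag and the country codes are constructed.

```python
import copy
import json

# Constructed sample shaped like `aws cloudfront get-distribution-config` output,
# trimmed to the keys this example touches (hypothetical ETag, not a real distribution).
SAMPLE_GET_CONFIG_OUTPUT = json.dumps({
    "ETag": "EXAMPLEETAG",
    "DistributionConfig": {
        "CallerReference": "example-ref",
        "Enabled": True,
        "Restrictions": {"GeoRestriction": {"RestrictionType": "none", "Quantity": 0}},
    },
})

VALID_TYPES = ("none", "whitelist", "blacklist")


def parse_get_config_output(text: str) -> dict:
    """Parse the JSON printed by get-distribution-config (ETag + DistributionConfig)."""
    return json.loads(text)


def geo_restriction_status(config: dict) -> dict:
    """Audit step: report the GeoRestriction setting of one DistributionConfig.
    RestrictionType 'none' means the control is not enabled (non-compliant)."""
    geo = config["Restrictions"]["GeoRestriction"]
    return {
        "restriction_type": geo["RestrictionType"],
        "countries": list(geo.get("Items", [])),
        "compliant": geo["RestrictionType"] != "none",
    }


def build_geo_restriction_config(config: dict, restriction_type: str, countries: list) -> dict:
    """Remediation step: return a copy of the full DistributionConfig with GeoRestriction
    set, ready to be saved as enable-geo-restriction.json (or disable-geo-restriction.json
    when restriction_type is 'none'). The original config is left untouched."""
    if restriction_type not in VALID_TYPES:
        raise ValueError(f"restriction_type must be one of {VALID_TYPES}")
    codes = [] if restriction_type == "none" else sorted({c.upper() for c in countries})
    if restriction_type != "none" and not codes:
        raise ValueError("a whitelist or blacklist needs at least one country code")
    geo = {"RestrictionType": restriction_type, "Quantity": len(codes)}
    if codes:
        geo["Items"] = codes  # ISO 3166-1 alpha-2 country codes
    new_config = copy.deepcopy(config)
    new_config["Restrictions"] = {"GeoRestriction": geo}
    return new_config


if __name__ == "__main__":
    doc = parse_get_config_output(SAMPLE_GET_CONFIG_OUTPUT)
    print("audit:", geo_restriction_status(doc["DistributionConfig"]))
    # Pass doc["ETag"] as --if-match when running update-distribution with this file.
    with open("enable-geo-restriction.json", "w") as fh:
        json.dump(build_geo_restriction_config(doc["DistributionConfig"], "whitelist", ["US", "CA"]), fh, indent=2)
```

In practice, feed the real output of `aws cloudfront get-distribution-config --id <distribution_id>` to parse_get_config_output and pass the returned ETag to --if-match; update-distribution rejects a stale ETag.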
Backout Plan:
Remove an added country from the whitelist:
Step 1: Log in to your AWS account and go to the CloudFront console: https://console.aws.amazon.com/cloudfront
Step 2: Select the distribution that you want to update and click the Distribution Settings button.
Step 3: In the Distribution Settings pane, click the Restrictions tab.
Step 4: Select Geo Restriction and click the Edit button.
Step 5: Select the country that you want to remove from the whitelist and click the Remove button.
Step 6: After removing the country from your whitelist, click the Yes, Edit button.
Note: Similarly, if you want to remove countries from the blacklist, follow the same steps.
Note: If you don't want any allow list or block list, select No Restrictions.
If you want to delete the distribution, follow the steps below:
Step 1: Select the distribution and click the Disable button.
Step 2: Click the Yes, Disable button.
Step 3: Click the Delete button.
→ Click the Yes, Delete button.
Using AWS CLI:
aws cloudfront delete-distribution --id <value> --if-match <value>